High-impact SSRF and request smuggling bugs among flaws addressed in bumper patch cycle

Developers fix multitude vulnerabilities in Apache HTTP Server with new release

Numerous vulnerabilities have been identified and fixed in Apache HTTP Server 2.4, including high-impact server-side request forgery (SSRF) and request smuggling bugs.

The Apache HTTP Server Project is a collaborative project to develop and maintain an open source software-based HTTP server for modern operating systems including UNIX and Windows. The technology is claimed to be the most popular web server on the internet.


Catch up with the latest secure development news


A high-severity vulnerability with a CVSS score of 8.1, CVE-2021-40438, was discovered by the Apache HTTP security team. The security flaw allows a remote attacker to perform SSRF attacks, and stems from insufficient validation of user-supplied input within the mod proxy module.

Sending a specially crafted HTTP request with a chosen uri-path could trick the web server into initiating requests to arbitrary systems. This would allow the attacker to gain access to sensitive data in the local network or send malicious requests to other servers.

Meanwhile, CVE-2021-33193, rated as a moderate severity vulnerability, was reported by PortSwigger security researcher James Kettle on May 11.

The flaw allows a crafted method sent through HTTP/2 to bypass validation controls and get forwarded by mod proxy, potentially leading to request splitting or cache poisoning.

Those interested in learning more about Kettle’s HTTP/2 request smuggling research should check out our recent coverage from Black Hat USA.

Patches issued on 16 September resolves these vulnerabilities, along with three others. These include a medium-severity NULL pointer dereference error, a boundary condition in module mod proxy uwsgi that could trigger a denial of service (system crash) condition and a low impact flaw only involving third party modules.

All five flaws are resolved with HTTP Server 2.4.49.

Check out Apache’s release notes for full details, here.


YOU MAY ALSO LIKE VMware security warning: Multiple vulnerabilities in vCenter Server could allow remote network access